Ethan Tira-Thompson | 30 Jul 00:21 2011

encryption type configuration

Hi, I’ve recently updated to Heimdal 1.4.1apple1 (i.e. Mac OS X Lion), and whenever I try to use kinit I get:
	$ kinit
	kinit: krb5_get_init_creds: KDC has no support for encryption type

My /Library/Preferences/ contains:
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

among other settings ( - I added the allow_weak_crypto)

The weird thing is if I explicitly specify des-cbc-crc on the command line it works fine:
	kinit -e des-cbc-crc #works fine

So why is it only working when I specify encryption type on the command line, and not already reading this
from the config file (it’s getting my default_realm and other server settings from the file, so I know
it's reading it…?)


Andreas Haupt | 26 Jul 11:35 2011

PKINIT with Ubuntu 11.04


Does anyone know how to get PKINIT with globus proxy certificates
working with Heimdal 1.4.99 (packaged with Ubuntu 11.04)? With a
self-compiled 1.2.1 it works on that system:

[znpnb195] ~ % /tmp/heimdal/bin/kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at>
[znpnb195] ~ % /tmp/heimdal/bin/kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
[znpnb195] ~ % klist
Credentials cache: FILE:/tmp/tmp.mjlFZuGILM
        Principal: ahaupt <at> NAF.DESY.DE

  Issued           Expires          Principal
Jul 26 11:30:50  Jul 27 12:30:50  krbtgt/NAF.DESY.DE <at> NAF.DESY.DE

With the packaged version I get this error:

[znpnb195] ~ % kinit --version
kinit (Heimdal 1.4.99)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at>
[znpnb195] ~ % kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
kinit: krb5_get_init_creds: Create CMS signedData: RSA private encrypt failed: 569888

Anything that needs to be done additionally now? The client seems to get
stuck already at the initialization - it doesn't even contact the KDC.


Stefan (metze) Metzmacher | 26 Jul 02:18 2011

Some more patches from lorikeet-heimdal

Hi Love,

What do you think about these patches?

From f9913570f0c424015c4270ace1c4f6a47a3f361f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at>>
Date: Sun, 24 Jul 2011 20:55:36 +0200
Subject: [PATCH 1/5] kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize

 kdc/krb5tgs.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b0d5455..85b0be0 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -1508,6 +1508,7  <at>  <at>  tgs_build_reply(krb5_context context,

     Key *tkey_check;
     Key *tkey_sign;
+    int flags = 0;

     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
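Review bot: `int flags = 0;`, added to the declarations in tgs_build_reply, is a signed type although, going by the subject line, it only ever carries HDB_F_* bit flags such as HDB_F_CANON. Declare it `unsigned int flags = 0;` so that OR-ing flag bits into it and passing it on never goes through a signed value, and consider a more specific name (for example `fetch_flags`) that says what the flags are for.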
 <at>  <at>  -1517,6 +1518,9  <at>  <at>  tgs_build_reply(krb5_context context,

Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion

The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to these users which
want to use our services from OSX Lion), make the support web pages
etc etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.


PS: Since release (5 days) we have 2 users which have fallen for the
"over 250 new features of OSX Lion" and no longer can log in to our

doug quaid | 25 Jul 09:38 2011

Disable password change for users via kadmind.acl or other

Is it possible to prevent all users from changing their password via kadmin? I am using Heimdal 1.2. As far
as I can tell there is no way to do so. I run kadmin as a user, the 'privileges' command says "none" and 'get'
fails, but I am able to issue the 'passwd' command. I have tried adding joe   get joe to kadmind.acl
with the expectation that joe would only have 'get' privileges but this still does not prevent joe from
changing joe's password.
Is there another way?

Stefan (metze) Metzmacher | 24 Jul 17:37 2011

lib/krb5: Allow any kvno to match when searching the keytab.

Hi Love,

is this patch acceptable for you?

Stefan (metze) Metzmacher | 24 Jul 17:34 2011

kdc: fix comparision between krb5int32 (int) and unsigned int

Hi Love,

I noticed a regression with this commit:

commit f5f9014c90cdf795867ad336803caf802bac7fed
Author: Love Hornquist Astrand <lha <at>>
Date:   Fri Apr 29 20:25:05 2011 -0700

    Warning fixes from Christos Zoulas

    - shadowed variables
    - signed/unsigned confusion
    - const lossage
    - incomplete structure initializations
    - unused code
 kdc/krb5tgs.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

Casting (int) to (size_t) is wrong.

Stefan (metze) Metzmacher | 24 Jul 17:29 2011

Set improved enctypes parameter defaults to better match the RFC.


is commit f93a56f931e91c7b8eeec83b94015604bbc898f1 of heimdal really

In Samba we needed to set c->use_strongest_server_key = TRUE in order to get
the same behavior as with heimdal 1.4.


Russ Allbery | 24 Jul 07:49 2011

Linking with Heimdal on Lion

Lion comes with Heimdal Kerberos libraries and an MIT Kerberos
compatibility shim.  Unfortunately, that shim doesn't implement
krb5_appdefault_*, which breaks the ability to get settings out of
krb5.conf.  I know those functions are available in the underlying Heimdal
libraries (but the calling sequence for the krb5_realm parameter is
different, which is probably why there has to be a compatibility shim).

All my existing configure machinery finds the MIT shim on Lion and
therefore thinks it can call krb5_appdefault_* with the MIT calling
convention, which results in a syslog'd error message and failure.

Does anyone know how I find and link against the actual Heimdal libraries
so that I can detect that I'm using Heimdal, use the appropriate
krb5_realm definition, and call the real krb5_appdefault_* functions?

(I don't have any Mac OS X systems personally.)


Russ Allbery (rra <at>             <>

Jelmer Vernooij | 22 Jul 14:19 2011

[PATCH] cf: Also enable pthreads on Linux 3.

From: Jelmer Vernooij <jelmer <at>>

 cf/pthreads.m4 |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/cf/pthreads.m4 b/cf/pthreads.m4
index 7ce7310..209e4f3 100644
--- a/cf/pthreads.m4
+++ b/cf/pthreads.m4
 <at>  <at>  -41,7 +41,7  <at>  <at>  case "$host" in
 *-*-linux* | *-*-linux-gnu)
 	case `uname -r` in
-	2.*)
+	2.*|3.*)
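Review bot: the new pattern `2.*|3.*` still enumerates kernel major versions, so this test will need patching again at the next major bump; since the enclosing arm has already matched `*-*-linux*` on `$host`, a catch-all arm or dropping the version test would be more durable. Note also that `uname -r` reports the kernel of the build machine rather than of `$host`, so the check looks at the wrong system when cross-compiling.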


Linus Nordberg | 17 Jul 11:08 2011

Replay cache in use?


It seems to me that Heimdal has a replay cache (lib/krb5/replay.c) but
that it's not being used.  Is that correct and if so, why is it not
being used?